Working With The sudoers File

Hi everyone,

I’m new here, and this is my first post. I’m currently working on a blog for my website about securely managing users on Linux servers. A question crossed my mind while writing, and I’d appreciate any input.

I’m working on the section about editing the sudoers file. The scenario I’m addressing is as follows: “Two folks are on the Software team. We just want to let them run commands related to software. We can either make two separate entries in the sudoers file for each user, or we can make things simpler using aliases.”

I created two aliases:

User_Alias SOFTWAREADMINS = elie, issa
Cmnd_Alias SOFTWARECOMMANDS = /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt install *

While writing, I asked myself, “What if I want these users to only install specific software rather than allowing them to install anything?” I could handle it like this:
Cmnd_Alias SOFTWARECOMMANDS = /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt install nginx, /usr/bin/apt install postfix, /usr/bin/apt install nano, /usr/bin/apt install mysql

But that’s not what I want. I’m considering a method to encapsulate the packages inside brackets or a way to avoid typing the command repeatedly, allowing me to only change the package name. Any ideas?

Thanks in advance!

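As an added example that is not part of the original post: the sudoers grammar itself has no loop or brace expansion, but the repetitive `/usr/bin/apt install <package>` entries can be generated from a package list instead of typed by hand. The alias and user names below are the ones from the post; the package-name check, the `(root)` runas clause and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: build the sudoers alias
# lines from a package list so each "apt install <pkg>" entry is generated
# rather than typed by hand. Alias and user names follow the post; the
# package-name check and the (root) runas clause are this example's choices.

APT=/usr/bin/apt

# valid_package_name NAME: returns 0 if NAME looks like a Debian package
# name (lowercase letters, digits, '+', '-', '.'), and 1 if it is empty,
# option-like (starts with '-') or contains any other character.
valid_package_name() {
    case "$1" in
        '' | -* | *[!a-z0-9.+-]*) return 1 ;;
    esac
    return 0
}

# build_cmnd_alias ALIAS PACKAGE...
# Prints one Cmnd_Alias line: apt update, apt upgrade, and exactly one
# "apt install <pkg>" entry per package. sudo matches these arguments
# literally, so no wildcard is involved and nothing outside the list
# is permitted.
build_cmnd_alias() {
    alias_name="$1"; shift
    line="Cmnd_Alias $alias_name = $APT update, $APT upgrade"
    for pkg in "$@"; do
        if ! valid_package_name "$pkg"; then
            echo "build_cmnd_alias: invalid package name '$pkg'" >&2
            return 1
        fi
        line="$line, $APT install $pkg"
    done
    printf '%s\n' "$line"
}

# build_sudoers_fragment USER_ALIAS CMND_ALIAS "user1 user2" "pkg1 pkg2"
# Prints a complete three-line fragment suitable for /etc/sudoers.d/.
build_sudoers_fragment() {
    user_alias="$1"; cmnd_alias="$2"; users="$3"; packages="$4"
    user_list=""
    for u in $users; do
        user_list="${user_list:+$user_list, }$u"
    done
    printf 'User_Alias %s = %s\n' "$user_alias" "$user_list"
    build_cmnd_alias "$cmnd_alias" $packages || return 1
    printf '%s ALL = (root) %s\n' "$user_alias" "$cmnd_alias"
}

# Example run with the names from the post:
#   build_sudoers_fragment SOFTWAREADMINS SOFTWARECOMMANDS "elie issa" "nginx postfix nano"
```

Write the output to a file, check it with `visudo -cf <file>` before it goes anywhere near the live configuration, and install it under /etc/sudoers.d/ with mode 0440. Because every package gets its own literal entry, adding or removing a package is one change to the list and a re-run of the generator, which is the part the post wanted to avoid doing by hand.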

As far as I know, there is no way to do that. But there is a workaround.

  1. Create a bash script listing allowed packages for installation.

#!/bin/bash
# Only packages in this list may be installed.
packages=("vim" "nano" "ip-tools")

for i in "${packages[@]}"; do
  # Quoted comparison: exact match only, so a pattern such as "*" cannot match.
  if [[ "$i" == "$1" ]]; then
    /usr/bin/apt install "$i" && exit 0
  fi
done
echo "You have no permission to install that package!"
exit 1

  2. Save the file to /usr/bin/ipkg and change the permissions to 700.

$ chmod 700 /usr/bin/ipkg

  3. Change the sudoers file and allow users to run the script file.

test_user    ALL = /usr/bin/ipkg

With this method, users can install only allowed packages by using ipkg command:

$ sudo ipkg vi
You have no permission to install that package!

$ sudo ipkg vim
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
vim is already the newest version (2:9.0.1378-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Hope it helps.


Thanks for the idea! I will test that out!

Honestly, if you’re unsure about users’ ability to responsibly handle package installations with apt, it’s likely not the best idea to give them that privilege.

Occasionally, there might be installation issues or errors with apt. Users granted the access to use apt should ideally have a good understanding of its proper usage.

Instead of giving users the ability to install packages, keep them as standard users and handle package installation through an admin or a request system.

What do you guys think about this?


I think you misunderstood my question. I agree with you a little, but my inquiry wasn’t about implementing this in a production environment. I was merely curious about how to avoid repeatedly specifying the command with the package I want to permit for installation.

Oh, maybe. I was referring to the scenario you gave. But yes, my suggestion was geared to real-world permission policies.


@ivansalloum @serhattsnmz Actually, there is a much easier way to do the same. Instead of creating the packages as an array, which can be long (see the zsh auto-plugins: they are long, and if you forget to do the [[ array[*] ]] then it will only access the last element, so you either write it like this, {#defined} -1, so as to access the last segmental element).

A way around is to create the users array, and if the name of the user is in the array then issue the permission, such as:

# Loop over the logged-in users; "name" and "permission" are the poster's placeholders.
for i in $(users); do
    if [[ "$i" = "name" ]]; then
        sudo chown "$(whoami)" permission
    fi
done

And it is done; you don't have to do anything else. You can also write this in Go. I thought I wouldn't write the code today :grinning: but here I am.

All good,


Create an account for both users.
Set up both users in /etc/sudoers.
When needed, have them do a sudo apt install …
You can see their use of sudo: tail /var/log/auth.log as root.
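Since this reply points at /var/log/auth.log, here is an added example (not from the reply) of reading the sudo entries out of such a log and separating the commands sudo executed from the ones it refused. The five log lines are constructed samples in the format sudo writes to syslog; the hostname, users and commands are invented, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original reply: summarise sudo activity from
# auth.log lines. SAMPLE_LOG holds constructed lines in sudo's syslog
# format; "web1", the users and the commands are invented.

SAMPLE_LOG='Mar 10 09:12:01 web1 sudo:     elie : TTY=pts/0 ; PWD=/home/elie ; USER=root ; COMMAND=/usr/bin/apt install nginx
Mar 10 09:13:44 web1 sudo:     issa : TTY=pts/1 ; PWD=/home/issa ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:15:02 web1 sudo:     issa : command not allowed ; TTY=pts/1 ; PWD=/home/issa ; USER=root ; COMMAND=/usr/bin/apt install emacs
Mar 10 09:16:30 web1 sshd[2210]: Accepted publickey for elie from 10.0.0.5 port 50122 ssh2
Mar 10 09:18:10 web1 sudo:     elie : TTY=pts/0 ; PWD=/home/elie ; USER=root ; COMMAND=/usr/bin/apt install postfix'

# sudo_commands [all|allowed|denied]   (reads log lines on stdin)
# Prints "user<TAB>COMMAND" for every sudo line. "denied" keeps only the
# "command not allowed" entries (sudoers refused them); "allowed" keeps
# only the commands sudo actually executed. Non-sudo lines are skipped.
sudo_commands() {
    mode="${1:-all}"
    awk -v mode="$mode" '
        / sudo: / && /COMMAND=/ {
            denied = ($0 ~ /command not allowed/) ? 1 : 0
            if (mode == "denied" && !denied) next
            if (mode == "allowed" && denied) next
            # The invoking user is the first word after "sudo:".
            rest = substr($0, index($0, "sudo:") + 5)
            sub(/^ +/, "", rest)
            user = rest
            sub(/ .*/, "", user)
            sub(/.*COMMAND=/, "", $0)
            printf "%s\t%s\n", user, $0
        }'
}

# apt_installs   (reads log lines on stdin)
# Prints "user package" for each executed "apt install" so you can see
# who installed what, which is the question this thread is about.
apt_installs() {
    sudo_commands allowed | awk -F'\t' '
        $2 ~ /^\/usr\/bin\/apt install / {
            sub(/^\/usr\/bin\/apt install /, "", $2)
            print $1, $2
        }'
}

# Usage against the real log (run as root):
#   tail -n 200 /var/log/auth.log | sudo_commands denied
#   grep ' sudo: ' /var/log/auth.log | apt_installs
# Demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | sudo_commands denied
```

The denied view is the one worth alerting on: a user whose sudoers entry is restricted to a few apt commands should rarely produce "command not allowed" lines, so each one is either a typo or a sign that the policy is being probed. If you split sudo logging into its own file, as the next reply mentions, point the functions at that file instead.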

Bro, that’s the easy way. I know it. I even separate the sudo log from the auth.log file. But your suggestion is not practical, since they can fill the whole server with packages while I’m sleeping. Yeah, it is right, I wouldn’t give this permission to people I don’t trust. I was just curious about a workaround.

I am sorry you are having that problem. If you can’t trust your employees that is really sad.
If they are not following company directives perhaps action has to be taken.

Bro, did you understand my question? I think you didn’t!

It just seems to me that you may be over complicating a task.


It is a common issue in Ubuntu. When you create a new user there is no option to add it directly to the sudoers group like in Windows. Then you have to do two commands, and you may miss this in the meantime and have this issue of “The user is not in the sudoers group”. They need to update the function to specify upon user creation whether he is in the sudoers group or not. Then it facilitates life.


I like that there’s no option in the creation of a new user. This approach adheres to the principle of least privilege, a fundamental security practice ensuring users are granted only the permissions necessary for their work. So we have to take a deliberate action to give users this privilege:

usermod -aG sudo <username>
adduser <username> sudo

I totally agree with @hydn,

We must be cautious with privileges, as granting full access can leave the system vulnerable to attackers. We should limit each user’s access to only what they need.

It is called Principle of Least Privilege (PoLP) in information security, as @hydn mentioned.

More information:

I don’t think anyone gets my point and what I asked :slight_smile:

Actually, I fully understand your question and your concern @ivansalloum. And I need to say that in case you misunderstand my answer, I think your point of view is completely in line with PoLP. Limiting downloading apt applications is good for security.

Btw, did you have a chance to try the script I sent you?